Apache OpenOffice (AOO) Bugzilla – Issue 66032
Mailing lists: descriptions do not respect HTML formatting
Last modified: 2012-03-01 21:59:26 UTC
In the current SourceCast installation (2.6), when you enter HTML markup in the description of a document/file, this markup is respected when displaying the document list. In the new SourceCast installation (3.5.1), it isn't anymore. Cp. http://dba.stage.openoffice.org/servlets/ProjectMailingListList with http://dba.openoffice.org/servlets/ProjectMailingListList
reassign to support
Hi St, I am checking this. Regards, Karthik, Support Operations
Updating status whiteboard. Regards, Karthik, Support Operations
I have asked my engineers to have a look at the issue, will get back to you at the earliest. Regards, Karthik, Support Operations
Hello Frank, The problem that you reported is due to changes made in release 3.x. Please refer to: http://www.collab.net/rn/3_0_0.html: Issue 25737 "To prevent cross-site scripting security issues HTML, without XSS scripting tags, can be passed to the browser from specific areas of the application. Each HTML submission will be passed through a "scripting safe" filter responsible for detecting scripting tags and applying a full filter if they are encountered." Project mailing list descriptions were changed to not allow HTML markup. Thanks
In the previous post, the URL is: http://www.collab.net/rn/3_0_0.html Search for 25737.
*** Issue 66031 has been marked as a duplicate of this issue. ***
Thanks for the explanations. > Project mailing list descriptions were changed to not allow HTML markup. Is there a reason for this? I understand the security concerns if we would allow arbitrary HTML, but since the HTML is filtered anyway, why not add project list descriptions to the HTML-allowed list? Please consider this (also for document descriptions, see issue 66031), or explain why it is not an option. Thanks.
Hi Fs, I will check this with my engineer and get back to you asap. Regards, Karthik, Support Operations
*** Issue 66782 has been marked as a duplicate of this issue. ***
Hi Fs, Upon further investigation, this was fixed in release 4.0: In earlier releases, CollabNet guarded Mailing List descriptions from cross-site scripting vulnerabilities and so did not allow HTML script. This did not allow the end-user to include scripts in their snippets. For example, if you were to do the following: Create a project (standard). Add an HTML script tag to the description field in a mailing list. On the UI, go to the new project's mailing list screen. You will notice that the script that you added is rendered. Solution: This has been fixed in the current release. A simple subset of HTML will be rendered now, and potentially malicious HTML will cause all HTML to be escaped. ---------------------------------- We can override the template until your site is upgraded to 4.x. The same fix doesn't apply to Documents and files descriptions; since they appear in a very limited location, HTML markup may be more risky. Thanks, Karthik, Support Operations
Thanks, but this does mean /what/, please? I see an explanation why it is as it is, but will we be able to use HTML in the descriptions again? If "override the template" means that HTML will be allowed then, does it also mean that we're prone to cross-site scripting again? If so, please instead consider my suggestion: According to http://www.collab.net/rn/3_0_0.html, there are a number of places which do allow restricted HTML - is it possible to add "mailing list descriptions" to this list?
removing "stage" from the summary, as now this is a problem of the alive site.
*** Issue 67288 has been marked as a duplicate of this issue. ***
Hi Frank, I shall check this with my engineers and get back to you. Thanks, Karthik, Support Operations
We would be trying out the solution mentioned in desc 12 in the stage box. Essentially what we would be doing is allow restricted HTML to be rendered in "mailing list descriptions" and escape anything which seems to contain malicious HTML tags.
The changes have been applied on the production box, whereby restricted HTML will be rendered in the description field. Make sure that the break tags are in the format given below to render correctly, e.g. the issues@dba.openoffice.org mailing list needs an edit. The break tag should be <br /> and not <br/>; there should be a space in between br and /, which is missing in the issues mailing list description. Please correct the same and also confirm if the issue has been fixed.
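An added example (not SourceCast's own code, which is not on the page) of the approach described in the 4.0 fix above and applied in the workaround: render an allowlisted subset of HTML, and if any other tag, attribute or URL scheme is seen, escape the entire string so the markup shows as literal text. The tag and attribute allowlists are assumptions. Because this filter tokenizes instead of string-matching, `<br>`, `<br/>` and `<br />` are all accepted and normalised to `<br />`.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist assumed for this example; SourceCast's real subset is not on the page.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class SubsetHtmlFilter(HTMLParser):
    # Re-emits allowlisted markup only; anything else sets self.unsafe.
    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities reach handle_data as text
        self.out, self.unsafe = [], False

    def _emit_tag(self, tag, attrs, self_closing):
        if tag not in ALLOWED_TAGS:      # <script>, <img>, <iframe>, unknown tags ...
            self.unsafe = True
            return
        parts = [tag]
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                self.unsafe = True       # onclick=, style=, bare attributes ...
                return
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.unsafe = True       # javascript:, data:, vbscript: URLs
                return
            parts.append(f'{name}="{escape(value, quote=True)}"')
        # Normalised output: <br /> whether the author typed <br>, <br/> or <br />
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=(tag == "br"))
    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)
    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.unsafe = True
        elif tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))    # text nodes are always re-escaped
    def handle_comment(self, data):      # comments, doctypes, PIs: treat as hostile
        self.unsafe = True
    handle_decl = handle_pi = handle_comment

def render_description(raw: str) -> str:
    # Render the safe subset, or escape the whole string if anything else was seen.
    f = SubsetHtmlFilter()
    f.feed(raw)
    f.close()
    return escape(raw) if f.unsafe else "".join(f.out)
```

Tag balance is not enforced here; an unclosed `<b>` cannot run script, but a production filter would also close dangling tags so one description cannot restyle the rest of the list page.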
works like a charm, thanks a lot!
verified and closing...
reopen. Only fixed in the mailing-list overview, but not in the description when viewing the archive. e.g. fixed for http://de.openoffice.org/servlets/ProjectMailingListList but not for http://de.openoffice.org/servlets/SummarizeList?listName=announce
We need to check with the engineer whether the same kind of workaround we performed for the ProjectMailingListList can be performed on the link mentioned above. For now I am reopening the internal issue for their feedback on this issue.
Cloph, the workaround/changes were performed in the stage box. Verified that HTML is getting rendered properly. Requested the engineer to perform the same change in the production box. Also verified in the production box that the HTML tags are not shown in the List Description field present in the archive. Closing this issue.